A new global survey reveals a widening gap between how secure people think they are online and how vulnerable their habits actually remain in the age of Artificial Intelligence (AI).

As AI reshapes everything from productivity tools to creative work, it is also quietly transforming the cyber threat landscape. Phishing attacks, once clumsy and easy to spot, are becoming more convincing, more targeted, and more difficult to detect, even for experienced users.

A new Global State of Authentication survey commissioned by cybersecurity company Yubico paints a sobering picture of how unprepared many individuals and organizations remain. The study gathered responses from 18,000 employed adults across nine countries, including the United States, United Kingdom, France, Germany, Japan, and Australia, offering a broad snapshot of cybersecurity habits at work and at home.

The findings reveal a growing disconnect between perceived security and real-world behavior, a gap that cybercriminals are increasingly exploiting.

Phishing Isn't Slowing Down, It's Getting Smarter

One of the survey's most striking findings is how widespread phishing exposure has become. Forty-four percent of respondents said they had interacted with a phishing message in the past year, whether by clicking a link, opening an attachment, or engaging with the message in some way.

Yubico

Even more concerning is the role AI now plays in making these attacks harder to recognize. Seventy percent of respondents believe phishing attempts have become more successful because of AI, while 78 percent say they have become more sophisticated overall.

When shown an example of a phishing email during the survey, more than half of respondents either believed it was legitimate or were unsure, highlighting just how thin the margin has become between real communication and deception.

Gen Z Is More Vulnerable Than Expected

Contrary to assumptions that younger, more tech-savvy users are better equipped to spot scams, the survey found that Gen Z reported the highest level of phishing engagement, with 62 percent admitting they had interacted with a phishing attempt in the past year.

Yubico

Yet when it came to identifying a phishing message correctly, performance was nearly identical across generations. Gen Z, millennials, Gen X, and baby boomers all hovered around the mid-40 percent range, underscoring a key reality: no demographic is immune.

Yubico

The data suggests that familiarity with digital tools does not necessarily translate to stronger security habits, especially as AI blurs the lines between authentic and fraudulent messages.

Passwords Persist, Even as Trust in Them Fades

Despite growing awareness that passwords are vulnerable, they remain deeply entrenched. According to the survey, only 26 percent of respondents consider usernames and passwords to be the most secure authentication method, yet they are still the most commonly used.

More than half of respondents rely on passwords for work accounts, and 60 percent use them for personal accounts. Alarmingly, 29 percent said they do not have multi-factor authentication (MFA) enabled on their personal email, even though email often serves as the gateway to banking, social media, and mobile carrier accounts.

This persistence highlights a familiar pattern in cybersecurity: people recognize risk but struggle to change behavior without stronger defaults or clearer incentives.

MFA Adoption Remains Uneven at Work

The workplace offers little reassurance. Only 48 percent of respondents said their company uses MFA across all applications and services, while 40 percent reported never receiving cybersecurity training from their employer.

Yubico

This lack of institutional consistency may help explain why phishing remains such an effective entry point for attackers. As Ronnie Manning, chief brand advocate at Yubico, noted in response to the findings, "Individuals are complacent about securing their own online accounts, and organizations appear slow to adopt security best practices."

Rising Confidence in Hardware-Based Authentication

While the survey reveals troubling gaps, it also points to a shift in how people think about security. Confidence in phishing-resistant authentication methods, such as hardware security keys and device-bound passkeys, is growing, particularly in the US and UK.

In the UK, 37 percent of respondents now believe these methods are the most secure, up from 17 percent the previous year. The US showed a similar trend, with 34 percent identifying hardware-backed authentication as the most secure option, nearly doubling year over year.

This change suggests that awareness is catching up to risk, even if adoption has not yet followed at the same pace.

The AI Effect on Cybersecurity Anxiety

Across all surveyed regions, concern about AI-driven threats has risen sharply. Countries including Japan, Sweden, the UK, and the US all saw double-digit increases in worry about AI's ability to compromise personal and business accounts.

The anxiety is not unfounded. As AI-generated text, voice, and imagery become more convincing, traditional security signals, spelling errors, awkward phrasing, suspicious formatting, are disappearing.

What remains is a need for stronger, phishing-resistant authentication methods that do not rely solely on human judgment.

Closing the Gap Between Awareness and Action

The survey's overarching message is not that people are unaware of cybersecurity risks, but that awareness alone is not enough. Convenience, habit, and incomplete implementation continue to undermine security efforts at both the individual and organizational levels.

As Cybersecurity Awareness Month approaches, the findings highlight a clear priority: moving beyond passwords and inconsistent MFA toward stronger, hardware-backed authentication that reduces reliance on human error.

The tools exist. The challenge now lies in adoption, and in closing the growing gap between how secure people believe they are and how exposed they actually remain in an AI-driven world.